problems resolving domains under NSxx.DOMAINCONTROL.COM - this problem I have too! :(((((

Piff ss342il at gmail.com
Wed Jun 23 07:34:45 UTC 2010


Mark,

more than once you have blamed the firewall, but I have tested without
a firewall and NSxx.DOMAINCONTROL.COM do not answer to "dig +dnssec".
The real problem is bind.  Freshly reloaded bind will do a query with
OPT EDNS0 set and after a timeout retry the query without OPT EDNS0,
but after some time the queries are only with OPT EDNS0 set. Why? Why no
fallback?  My machines are running version 9.6-ESV-R1 and 9.4-ESV-R2.

-Sai




In message <201006220016.o5M0G7J4024038 at drugs.dv.isc.org>, Mark
Andrews writes:
>
> Mark Andrews writes:
> >
> > In message <4C1F85EF.5070901 at rula.net>, Rok Potočnik writes:
> > > Anyway.. I found out what the problem is... they don't reply to dnssec
> > > enabled requests...
> > >
> > > $ dig +short @ns33.domaincontrol.com. replacementservices.com.
> > > 72.32.12.235
> > >
> > > $ dig +short +dnssec @ns33.domaincontrol.com. replacementservices.com.
> > > ;; connection timed out; no servers could be reached
> > >
> > > wanna boycott godaddy?
> > >
> > > --
> > > LP, Rok
> >
> > They DO respond.  Look at your firewall.
> >
> > % dig +short @ns33.domaincontrol.com. replacementservices.com.
> > 72.32.12.235
> > % dig +short +dnssec @ns33.domaincontrol.com. replacementservices.com.
> > 72.32.12.235
> > %
> >
> > Mark
>
> I suspect that your firewall is dropping replies to EDNS queries
> that *don't* include the OPT record (i.e. they are plain DNS not
> EDNS responses).   Note that there was no OPT record in the reply.
>
> ; <<>> DiG 9.3.6-P1 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36916
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;replacementservices.com.	IN	A
>
> ;; ANSWER SECTION:
> replacementservices.com. 3600	IN	A	72.32.12.235
>
> ;; AUTHORITY SECTION:
> replacementservices.com. 3600	IN	NS	ns33.domaincontrol.com.
> replacementservices.com. 3600	IN	NS	ns34.domaincontrol.com.
>
> ;; Query time: 184 msec
> ;; SERVER: 216.69.185.17#53(216.69.185.17)
> ;; WHEN: Tue Jun 22 10:12:45 2010
> ;; MSG SIZE  rcvd: 109
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

You can stop named making EDNS queries to these servers using
the server statement while you fix your firewall.

e.g.

server 216.69.185.17 {
	edns no;
};

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
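
Added example (not part of the original thread and not BIND code): a Python check for the condition Mark describes, a reply to an EDNS query that comes back as plain DNS with no OPT record. The reply bytes are constructed to mirror the dig output quoted above, and all function names are hypothetical.

```python
import struct

OPT = 41  # RR type of the EDNS0 OPT pseudo-record

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_query(name, qid, edns=True):  # edns=True: OPT RR with DO set, as dig +dnssec sends
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns:  # root name, type OPT, class = UDP size 4096, "TTL" 0x8000 = DO bit
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)
    return msg

def skip_name(msg, off):
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def has_opt(msg):  # True if any resource record in the message is an OPT RR
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return True
        off += 10 + rdlen
    return False

def constructed_reply(name, qid):
    # Constructed sample shaped like the dig output quoted above: 1 A, 2 NS, no OPT.
    ptr = b"\xc0\x0c"  # pointer back to the question name
    msg = struct.pack("!HHHHHH", qid, 0x8500, 1, 1, 2, 0)  # flags: qr aa rd
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    msg += ptr + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([72, 32, 12, 235])
    for ns in ("ns33.domaincontrol.com", "ns34.domaincontrol.com"):
        rd = encode_name(ns)
        msg += ptr + struct.pack("!HHIH", 2, 1, 3600, len(rd)) + rd
    return msg

def classify(query, reply):
    q, r = has_opt(query), has_opt(reply)
    return "EDNS reply" if r else "plain DNS reply to EDNS query" if q else "plain DNS exchange"
```

Running classify() over a captured query/reply pair from each side of the firewall shows whether the OPT-less reply left the server but never reached the resolver.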


